Microsoft: Maximum number of group memberships for users (MaxTokenSize)

Today one of my colleagues was telling me about a Windows 7 deployment that was configured through GPP, but he noticed that not all the GPP settings were set somehow. He found a quick fix by removing the user from all the groups he was nested in, logging the user in, and adding the user to all the groups again. When I heard this problem I knew I had seen this before in an environment with users in +200 nested groups in Windows 2008 R2. So I told him it could be the MaxTokenSize that has to be set to a proper value; Microsoft has a KB article to do so.
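To check whether nested memberships push a user past MaxTokenSize, the following added example (not from the original post or the KB article) applies Microsoft's published estimate, TokenSize = 1200 + 40d + 8s bytes, to a constructed directory. The group names, the `$Directory` layout and both function names are hypothetical, and universal groups are assumed to sit in the user's account domain.

```powershell
# Added example: estimate Kerberos token size from nested group membership.
# d = domain local groups (40 bytes each), s = global/universal groups in the
# account domain (8 bytes each), 1200 bytes estimated overhead.

# Constructed directory: 60 global role groups, each nested in 5 domain local groups.
$Directory = @{}
foreach ($i in 1..60) {
    $parents = foreach ($j in 1..5) { "DL-Res-$i-$j" }
    $Directory["GG-Role-$i"] = @{ Scope = 'Global'; MemberOf = @($parents) }
    foreach ($p in $parents) {
        $Directory[$p] = @{ Scope = 'DomainLocal'; MemberOf = @() }
    }
}
$DirectGroups = 1..60 | ForEach-Object { "GG-Role-$_" }

function Get-NestedGroup {
    # Breadth-first expansion of direct memberships into the full nested set.
    param([string[]]$Direct, [hashtable]$Directory)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    foreach ($g in $Direct) { $queue.Enqueue($g) }
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if (-not $seen.Add($name)) { continue }   # already expanded; also stops nesting loops
        foreach ($parent in $Directory[$name].MemberOf) { $queue.Enqueue($parent) }
    }
    return $seen
}

function Get-EstimatedTokenSize {
    param([string[]]$GroupNames, [hashtable]$Directory)
    $d = 0; $s = 0
    foreach ($name in $GroupNames) {
        if ($Directory[$name].Scope -eq 'DomainLocal') { $d++ } else { $s++ }
    }
    [pscustomobject]@{
        Groups = $GroupNames.Count; D = $d; S = $s
        Bytes  = 1200 + 40 * $d + 8 * $s
    }
}

$MaxTokenSize = 12000   # default on Windows 7 / Windows Server 2008 R2
$all = Get-NestedGroup -Direct $DirectGroups -Directory $Directory
$est = Get-EstimatedTokenSize -GroupNames $all -Directory $Directory
$est | Select-Object *, @{ n = 'MaxTokenSize'; e = { $MaxTokenSize } },
                        @{ n = 'Exceeds';      e = { $_.Bytes -gt $MaxTokenSize } }
```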

On a domain controller that is running Windows 2000, Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2, you can use Group Policy to add the following registry entry to multiple computers:

On the Action menu, point to All Tasks, and then click Add/Remove Templates.

Click Add.

Click to select the MaxTokenSize.adm file that you created in step 3, and then click Open.

Click Close.

On a Windows 2000-based domain controller, click to clear Show Policies Only on the View menu.

On a Windows Server 2003-based domain controller, follow these steps:

On the View menu, click Filtering.

Click to clear the Only show policy settings that can be fully managed check box, and then click OK.

In Windows Server 2008 domains and in Windows Server 2008 R2 domains, you can do this by modifying an existing Group Policy Object (GPO) or by creating a new GPO. Make sure that the GPO is linked to the correct portion of your Active Directory hierarchy so that the GPO applies to the computer accounts of the computers that you want to modify. To create the MaxTokenSize value setting in a GPO, follow these steps:

Open the Group Policy Management Console (Gpmc.msc). To do this, click Start, click Run, type gpmc.msc, and then click OK.

In the Group Policy Management Console, right-click a Group Policy object, and then click Edit to open the Group Policy Management Editor window.

Kees Baggerman

Kees Baggerman is a Staff Solutions Architect for End User Computing at Nutanix. Kees has driven numerous Microsoft, Citrix, and RES infrastructure functional/technical design, migration, and implementation engagements over the years.